apache2 bootcamp : restricting access
TRANSCRIPT
Overview
● How to restrict access based on the user, client IP address, domain name, and browser version
● How to enable and configure Apache authentication modules
● How to use the user management tools provided with Apache
Authentication
● Authentication : establishes the identity of parties in a communication
● Authentication in the context of the Web :
– Use of passwords
– Use of certificates
● Authorization : deals with protecting access to resources; we can authorize based on :
– The IP address the user is coming from
– The user's browser
– The content the user is trying to access
– Who the user is
Client Authentication
● The HTTP specification provides two authentication mechanisms: basic and digest
– Basic : the username and password are transmitted in clear text (Base64-encoded, which is not encryption)
– Digest : the password itself is not transmitted; the client sends a digest (hash) computed from it instead
Client Authentication : User Management
● File-based authentication mechanisms
● Database-based authentication mechanisms
– Supported in Apache bundles
● LDAP (Lightweight Directory Access Protocol)
● NIS (Network Information Services)
– Supported in third-party modules
Apache Authentication Modules
Authentication modules bundled with Apache
mod_auth
mod_auth_dbm
mod_auth_digest
mod_auth_anon
Apache Authentication Modules : Common Functionality
Apache provides three built-in directives related to authentication that are used with any of the authentication modules :
● AuthName
● AuthType
● Require
Examples :
Require user joe bob
Require group employee contractor
Require valid-user
Apache Authentication Modules : Module Functionality
● Backend storage : provide text or database files containing the username and group information
● User management : supply tools for creating and managing users and groups in the backend storage
● Authoritative information : specify whether the results of the module are authoritative
File-Based Authentication
mod_auth
Provides basic authentication via text files containing usernames and passwords, similar to how traditional Unix authentication works with the /etc/passwd and /etc/group files.
File-Based Authentication : Backend Storage
Directives :
● AuthUserFile : takes a path argument, pointing to the users file
● AuthGroupFile : takes a path argument, pointing to the groups file
Examples :
users file /etc/apache.passwords, with entries such as
admin:iFrlxqg0Q6RQ6
groups file /etc/apache.groups, with entries such as
web: admin umar abdul aziz
File-Based Authentication : User Management
htpasswd -c file userid
htpasswd -c /usr/local/apache2/conf/htusers admin
Don't use the -c option if you want to add users to an existing password file: -c creates the file and overwrites one that already exists
File-Based Authentication : Using mod_auth
<Directory /usr/local/apache2/htdocs/private>
    AuthType Basic
    AuthName "Private Area"
    AuthUserFile /usr/local/apache2/conf/htusers
    AuthAuthoritative on
    Require valid-user
</Directory>
Database File-Based Access Control
mod_auth_dbm
More scalable and faster, because it uses indexed database files
Database File-Based Access Control : Backend Storage
mod_auth_dbm directives :
● AuthDBMUserFile
● AuthDBMGroupFile
Database File-Based Access Control : User Management
On Windows : if you are using ActiveState Perl, start the Perl package manager and type
install Crypt-PasswdMD5
then run
perl ./dbmmanage.pl dbfile adduser userid
On Unix :
./dbmmanage dbfile adduser userid
Examples :
dbmmanage /usr/local/apache2/conf/dbmusers adduser daniel employee,engineering
dbmmanage dbfile delete daniel
Alternative tool : htdbm
Database File-Based Access Control : Using mod_auth_dbm
<Directory /home/*/public_html>
    AuthType Basic
    AuthName "Private Area"
    AuthDBMUserFile /usr/local/apache2/conf/dbmusers
    AuthDBMGroupFile /usr/local/apache2/conf/dbmusers
    AuthDBMAuthoritative on
    Require group student faculty
</Directory>
Digest-Based Authentication : Backend Storage
mod_auth_digest directives :
● AuthDigestFile
● AuthDigestGroupFile
Digest-Based Authentication : Additional Directives
● AuthDigestDomain : takes a list of URLs that share the same realm and username/password protection
Digest-Based Authentication : Using mod_auth_digest
<Location /private>
    AuthType Digest
    AuthName "Private Area"
    AuthDigestFile /usr/local/apache2/conf/digestusers
    AuthDigestDomain /private /private2 /private3
    AuthDigestAuthoritative on
    Require valid-user
</Location>
Access Control
● Access Rules
● IP Addresses
– A Partial IP Address
– A Network/Mask Pair
● Domain Name
● Environment Variables
● All Clients
Access Rules : IP Addresses
IP addresses :
Allow from 10.0.0.1 10.0.0.2 10.0.0.3
A partial IP address :
Deny from 10.0
A network/mask pair :
Allow from 10.0.0.0/255.255.255.0
Allow from 10.0.0.0/24
Access Rules : Domain Name
Allow from example.com
Enabling access rules based on domain names will force Apache to do a reverse DNS lookup on the client address, bypassing the settings of the HostNameLookups directive
Access Rules : Evaluation
Deny,Allow :
<Location /private>
    Order Deny,Allow
    Allow from 10.0.0.0/255.255.255.0 example.com
    Deny from all
</Location>
Allow,Deny :
<Location /some/location/>
    Order Allow,Deny
    Allow from all
    Deny from host.example.com
</Location>
Combining Access Methods
<Location /restricted>
    Allow from 10.0.0.0/255.255.255.0
    AuthType Basic
    AuthName "Intranet"
    AuthUserFile /usr/local/apache2/conf/htusers
    AuthAuthoritative on
    Require valid-user
    Satisfy any
</Location>
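The Order, Allow, Deny and Satisfy rules above are easy to misread, so here is an added example (not code from the slides or from Apache) that models how Apache 2.2's mod_access decides a request: it parses the Order / Allow from / Deny from lines of a snippet like the ones on the preceding slides, matches a client against every rule type the slides list (all, full or partial IP, network/mask or CIDR, domain name), applies the Order semantics, and then combines the result with the login outcome as Satisfy any/all would. The client's host name is passed in by the caller, standing in for the reverse DNS lookup Apache performs itself; all addresses and host names in the tests are constructed.

```python
import ipaddress

# Added example, not from the slides: a model of how Apache 2.2's mod_access
# evaluates Order / Allow from / Deny from, combined with Require via Satisfy.
# The client's host name is supplied by the caller; Apache itself obtains it
# with a reverse DNS lookup whenever a domain-name rule is present.

def parse_rules(config_text):
    """Collect Order, Allow and Deny arguments from a constructed config snippet."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is Apache's default Order
    for line in config_text.splitlines():
        parts = line.strip().split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def rule_matches(rule, client_ip, client_host=None):
    """One Allow/Deny argument: all, full or partial IP, net/mask or CIDR, or domain."""
    if rule.lower() == "all":
        return True
    if "/" in rule:  # 10.0.0.0/24 or 10.0.0.0/255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    if rule.replace(".", "").isdigit():  # 10.0.0.1 (exact) or 10.0 (prefix)
        return client_ip == rule or client_ip.startswith(rule + ".")
    return client_host is not None and (  # example.com matches example.com and *.example.com
        client_host == rule or client_host.endswith("." + rule))

def host_allowed(config_text, client_ip, client_host=None):
    """Apply the Order semantics: the list named last wins, and it sets the default."""
    order, allow, deny = parse_rules(config_text)
    allowed = any(rule_matches(r, client_ip, client_host) for r in allow)
    denied = any(rule_matches(r, client_ip, client_host) for r in deny)
    if order == "deny,allow":  # default allow; a matching Allow overrides a matching Deny
        return allowed or not denied
    if order == "allow,deny":  # default deny; a matching Deny overrides a matching Allow
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def request_permitted(config_text, client_ip, authenticated, client_host=None):
    """Satisfy any: host rules OR a valid login; Satisfy all (the default): both."""
    satisfy_any = any([w.lower() for w in l.split()] == ["satisfy", "any"]
                      for l in config_text.splitlines())
    access = host_allowed(config_text, client_ip, client_host)
    return (access or authenticated) if satisfy_any else (access and authenticated)
```

Running the /restricted snippet through this model shows a pitfall worth checking in real configurations: with no Order and no Deny line, the default Order Deny,Allow lets every host pass the host check, so with Satisfy any a client from outside 10.0.0.0/24 reaches the content without a password; adding Deny from all (or Order Allow,Deny) makes the Allow line take effect.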
Limiting Access Based on HTTP Methods
HTTP methods :
GET, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK.
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
Q&A
http://workshop.openthinklabs.com
Reference
● Daniel Lopez Ridruejo; Sams Teach Yourself Apache 2 in 24 Hours, Sams Publishing, 2002